School Accreditation Organization Data Breach Exposed Sensitive Information on Students, Parents, and Teachers Online
Jeremiah Fowler
July 27, 2023
Cybersecurity researcher Jeremiah Fowler discovered and reported to WebsitePlanet a non-password-protected database that contained 680k records. Upon further investigation, it was identified that these records were related to educational institutions. Documents inside the database suggested that it belonged to the Southern Association of Independent Schools, Inc (SAIS).
In my many years as a security researcher, I have seen everything from millions of credit card numbers and health records, to internal documents from organizations of all sizes. However, this discovery is among the most sensitive data collections I have ever encountered. The database contained a diverse collection of sensitive records that, when exposed, could unlock a wide range of potential risks. The files included multiple types of student and teacher records, health information, teacher background checks and social security numbers (SSN), active shooter and lockdown notifications, maps of schools, financial budgets, and much more. The documents ranged in date from 2012-2023.
One of the most interesting things I saw was third-party security reports marked as confidential that reviewed weaknesses in school security, locations of cameras, access and entry points, and more. These documents could pose a potentially serious real-world security risk to the safety of students and teachers. I immediately sent a responsible disclosure notice to SAIS and received a reply thanking me for the notification and promising that they would take action. The database was quickly secured from public access.
Southern Association of Independent Schools, Inc (SAIS) is a non-profit organization that supports schools and educators in the United States and several other countries. SAIS has been in operation for over 40 years. According to its website: "[With] more than 380 member K-12 schools from 14 U.S. states, the Caribbean, and Latin America (representing 220,000+ students), SAIS is the largest regional independent school association in the country."
It is my understanding that the SAIS accreditation requires a broad range of detailed information from each school. The documents I saw in the database indicate possible requirements that include the following:
The school’s purpose, values, and educational philosophy.
Curriculum maps, course catalogs, scope and sequence documents, and other materials that outline the educational program offered.
Faculty credentials, qualifications, degrees, certifications, background checks, and professional development records.
Student and faculty guidelines, policies, and procedures related to student conduct, academic integrity, disciplinary actions, and faculty responsibilities.
Documentation related to the school’s financial statements, budget reports, or other financial records.
Information about the school’s facilities, safety protocols, emergency response plans, building codes, and health department regulations.
Contact details of parents or guardians and emergency notifications.
Health-related data, including medical history, immunization records, allergies, and any special accommodations or health concerns that may affect a student’s well-being at school.
What the database contained
Total number of records: 682,438 with a total size of 572.8 GB.
Documents were in a wide range of formats, including: PDF, Excel, PPTX, doc, docx, png, jpg, pages, and more.
Internal documents from multiple schools and educational institutions, which contained personally identifiable information (PII) and private medical information of students.
Teacher, faculty, and staff information such as qualifications, interviews, background checks, drug and alcohol testing, salary information, and more.
Other notable documents included budgets and financial reports, vehicle registrations, insurance policies, tax records, training documents, manuals, and other miscellaneous guides or certificates.